I recently updated a django api from 2.2 to 3.1. I updated the dockerfile and related bash files like django-cookiecutter did https://github.com/pydanny/cookiecutter-django/commit/b22045bcd4ebf563ccdcf226fb389a6bb71e2654#diff-1872e6a6f0bbcb27f2eda185ac89eed05eb7a402b298e58bcbef29bf039c2c13
The upgrade mostly went well except now in production we cannot send email. I have a minimal management command I run in production to test email settings
from django.conf import settings
from django.core.mail import send_mail
from django.core.management.base import BaseCommand
class Command(BaseCommand):
"""
Sends an email to the provided addresses.
"""
help = "Sends an email to the provided addresses."
def add_arguments(self, parser):
parser.add_argument("emails", nargs="+")
def handle(self, *args, **options):
self.stdout.write(f"send_email from: {settings.EMAIL_FROM_FIELD}")
for email in options["emails"]:
try:
send_mail(
"expert-system test email",
"a simple email",
settings.EMAIL_FROM_FIELD,
[email],
)
except BaseException as e:
self.stdout.write(f"Problem sending email: {e}")
This returns
$ python manage.py send_email harry@test.com
send_email from: test@test.com
Problem sending email: EOF occurred in violation of protocol (_ssl.c:1125)
Another stackoverflow suggested testing if tls 1.1 is supported.
$ python -c "from urllib.request import urlopen ;
print(urlopen('https://www.howsmyssl.com/a/check').read())"
b'{"given_cipher_suites":["TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","TLS_DHE_RSA_WITH_AES_256_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_EMPTY_RENEGOTIATION_INFO_SCSV"],"ephemeral_keys_supported":true,"session_ticket_supported":true,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":false,"insecure_cipher_suites":{},"tls_version":"TLS 1.3","rating":"Probably Okay"}'
How do I get email to send on production?
So in short, it's very likely your mail server only supports TLS 1.1 or even only TLS 1.0 and the slim-buster image no longer has support for those protocols.
Going back to 3.7-alpine (which is known working combination) or an older ubuntu/debian version which still supports those protocols will allow you to send mail again.
Then you should upgrade your mail server, cause both TLS 1.0 and TLS 1.1 should have died long ago.
Edit:
Another way to test your mailserver is to use openssl's s_client command:
openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -connect your.mail.host:port
This will likely fail. Then remove a -no_tls flag till it starts working and you know the highest protocol it supports.
Note: -no_tls1_2 is only supported on openssl versions that support TLSv1.3